@jaypie/constructs 1.2.58 → 1.2.60

package/dist/esm/index.js

@@ -1,5 +1,5 @@
 import * as cdk from 'aws-cdk-lib';
-import { Tags, Stack, Fn, CfnOutput, SecretValue, RemovalPolicy, Duration, CfnStack } from 'aws-cdk-lib';
+import { Tags, Stack, SecretValue, RemovalPolicy, Fn, CfnOutput, Duration, CfnStack } from 'aws-cdk-lib';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import { Bucket, StorageClass, BucketAccessControl, EventType } from 'aws-cdk-lib/aws-s3';
 import { Construct } from 'constructs';
@@ -937,115 +937,67 @@ const resolveParamsAndSecrets = ({ paramsAndSecrets, options, } = {}) => {
     return resolvedParamsAndSecrets;
 };
 
-// It is a consumer if the environment is ephemeral
-function checkEnvIsConsumer$1(env = process.env) {
-    return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
-        !!env.CDK_ENV_PERSONAL ||
-        /** @deprecated */ env.PROJECT_ENV === "ephemeral" ||
-        /** @deprecated */ !!env.CDK_ENV_EPHEMERAL);
-}
-function checkEnvIsProvider$1(env = process.env) {
-    return env.PROJECT_ENV === CDK$2.ENV.SANDBOX;
-}
-function cleanName$1(name) {
-    return name.replace(/[^a-zA-Z0-9:-]/g, "");
-}
-function exportEnvName$1(name, env = process.env, consumer = false) {
-    let rawName;
-    if (checkEnvIsProvider$1(env)) {
-        rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
-        // Clean the entire name to only allow alphanumeric, colons, and hyphens
-        return cleanName$1(rawName);
-    }
-    else {
-        if (consumer || checkEnvIsConsumer$1(env)) {
-            rawName = `env-${CDK$2.ENV.SANDBOX}-${env.PROJECT_KEY}-${name}`;
-        }
-        else {
-            rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
-        }
-    }
-    return cleanName$1(rawName);
-}
-class JaypieEnvSecret extends Construct {
+class JaypieSecret extends Construct {
     constructor(scope, idOrEnvKey, props) {
         // Shorthand detection: treat idOrEnvKey as envKey when envKey prop is
         // not set and idOrEnvKey either looks like a SCREAMING_SNAKE_CASE env
         // var name or is already present in process.env. Convention-based
         // detection ensures missing env vars still go through envKey validation
         // instead of silently creating an empty secret.
+        const prefix = new.target.shorthandPrefix;
         const looksLikeEnvKey = /^[A-Z][A-Z0-9_]*$/.test(idOrEnvKey);
         const treatAsEnvKey = (!props || props.envKey === undefined) &&
             (looksLikeEnvKey ||
                 (typeof process.env[idOrEnvKey] === "string" &&
                     process.env[idOrEnvKey] !== ""));
-        const id = treatAsEnvKey ? `EnvSecret_${idOrEnvKey}` : idOrEnvKey;
+        const id = treatAsEnvKey ? `${prefix}${idOrEnvKey}` : idOrEnvKey;
         super(scope, id);
-        const { consumer = checkEnvIsConsumer$1(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider$1(), removalPolicy, roleTag, vendorTag, value, } = props || {};
-        const envKey = treatAsEnvKey ? idOrEnvKey : envKeyProp;
+        const envKey = treatAsEnvKey ? idOrEnvKey : props?.envKey;
         this._envKey = envKey;
-        let exportName;
-        if (!exportParam) {
-            // When shorthand detection is active, use the full construct id (which
-            // includes the "EnvSecret_" prefix) so the export name matches what was
-            // produced by earlier versions of this construct. Using the raw envKey
-            // here produces a shorter name that breaks existing cross-stack imports.
-            const exportSource = treatAsEnvKey ? id : envKey || id;
-            exportName = exportEnvName$1(exportSource, process.env, consumer);
-        }
-        else {
-            exportName = cleanName$1(exportParam);
-        }
-        if (!consumer &&
-            envKey &&
+        this._secret = this.buildSecret({
+            envKey,
+            id,
+            props: props || {},
+            treatAsEnvKey,
+        });
+    }
+    /**
+     * Builds the underlying secret. The base implementation always creates a new
+     * Secrets Manager secret from an envKey value, an explicit value, or a
+     * generated string. Subclasses may override to import an existing secret or
+     * emit cross-stack outputs.
+     */
+    buildSecret(context) {
+        const { envKey, id, props } = context;
+        const { generateSecretString, removalPolicy, roleTag, vendorTag, value } = props;
+        if (envKey &&
             !process.env[envKey] &&
             value === undefined &&
             !generateSecretString) {
-            throw new ConfigurationError(`JaypieEnvSecret(${id}): envKey "${envKey}" is empty in process.env and no value or generateSecretString was provided`);
+            throw new ConfigurationError(`JaypieSecret(${id}): envKey "${envKey}" is empty in process.env and no value or generateSecretString was provided`);
         }
-        if (consumer) {
-            const secretName = Fn.importValue(exportName);
-            this._secret = secretsmanager.Secret.fromSecretNameV2(this, id, secretName);
-            // Add CfnOutput for consumer secrets
-            new CfnOutput(this, `ConsumedName`, {
-                value: this._secret.secretName,
-            });
+        const secretValue = envKey && process.env[envKey] ? process.env[envKey] : value;
+        const secret = new secretsmanager.Secret(this, id, {
+            generateSecretString,
+            secretStringValue: !generateSecretString && secretValue
+                ? SecretValue.unsafePlainText(secretValue)
+                : undefined,
+        });
+        if (removalPolicy !== undefined) {
+            const policy = typeof removalPolicy === "boolean"
+                ? removalPolicy
+                    ? RemovalPolicy.RETAIN
+                    : RemovalPolicy.DESTROY
+                : removalPolicy;
+            secret.applyRemovalPolicy(policy);
         }
-        else {
-            const secretValue = envKey && process.env[envKey] ? process.env[envKey] : value;
-            const secretProps = {
-                generateSecretString,
-                secretStringValue: !generateSecretString && secretValue
-                    ? SecretValue.unsafePlainText(secretValue)
-                    : undefined,
-            };
-            this._secret = new secretsmanager.Secret(this, id, secretProps);
-            if (removalPolicy !== undefined) {
-                const policy = typeof removalPolicy === "boolean"
-                    ? removalPolicy
-                        ? RemovalPolicy.RETAIN
-                        : RemovalPolicy.DESTROY
-                    : removalPolicy;
-                this._secret.applyRemovalPolicy(policy);
-            }
-            if (roleTag) {
-                Tags.of(this._secret).add(CDK$2.TAG.ROLE, roleTag);
-            }
-            if (vendorTag) {
-                Tags.of(this._secret).add(CDK$2.TAG.VENDOR, vendorTag);
-            }
-            if (provider) {
-                new CfnOutput(this, `ProvidedName`, {
-                    value: this._secret.secretName,
-                    exportName,
-                });
-            }
-            else {
-                new CfnOutput(this, `CreatedName`, {
-                    value: this._secret.secretName,
-                });
-            }
+        if (roleTag) {
+            Tags.of(secret).add(CDK$2.TAG.ROLE, roleTag);
+        }
+        if (vendorTag) {
+            Tags.of(secret).add(CDK$2.TAG.VENDOR, vendorTag);
         }
+        return secret;
     }
     // IResource implementation
     get stack() {
@@ -1107,6 +1059,117 @@ class JaypieEnvSecret extends Construct {
         return this._envKey;
     }
 }
+// Construct id prefix used when an envKey is detected via shorthand.
+// Subclasses override this to preserve their own naming conventions.
+JaypieSecret.shorthandPrefix = "Secret_";
+
+// It is a consumer if the environment is ephemeral
+function checkEnvIsConsumer$1(env = process.env) {
+    return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
+        !!env.CDK_ENV_PERSONAL ||
+        /** @deprecated */ env.PROJECT_ENV === "ephemeral" ||
+        /** @deprecated */ !!env.CDK_ENV_EPHEMERAL);
+}
+function checkEnvIsProvider$1(env = process.env) {
+    return env.PROJECT_ENV === CDK$2.ENV.SANDBOX;
+}
+function cleanName$1(name) {
+    return name.replace(/[^a-zA-Z0-9:-]/g, "");
+}
+function exportEnvName$1(name, env = process.env, consumer = false) {
+    let rawName;
+    if (checkEnvIsProvider$1(env)) {
+        rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
+        // Clean the entire name to only allow alphanumeric, colons, and hyphens
+        return cleanName$1(rawName);
+    }
+    else {
+        if (consumer || checkEnvIsConsumer$1(env)) {
+            rawName = `env-${CDK$2.ENV.SANDBOX}-${env.PROJECT_KEY}-${name}`;
+        }
+        else {
+            rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
+        }
+    }
+    return cleanName$1(rawName);
+}
+/**
+ * @deprecated Use {@link JaypieSecret}. JaypieEnvSecret layers an
+ * environment-driven provider/consumer cross-stack pattern on top of
+ * JaypieSecret and will be removed in 2.0.
+ */
+class JaypieEnvSecret extends JaypieSecret {
+    constructor(scope, idOrEnvKey, props) {
+        super(scope, idOrEnvKey, props);
+    }
+    buildSecret(context) {
+        const { envKey, id, treatAsEnvKey } = context;
+        const props = context.props;
+        const { consumer = checkEnvIsConsumer$1(), export: exportParam, generateSecretString, provider = checkEnvIsProvider$1(), removalPolicy, roleTag, vendorTag, value, } = props;
+        let exportName;
+        if (!exportParam) {
+            // When shorthand detection is active, use the full construct id (which
+            // includes the "EnvSecret_" prefix) so the export name matches what was
+            // produced by earlier versions of this construct. Using the raw envKey
+            // here produces a shorter name that breaks existing cross-stack imports.
+            const exportSource = treatAsEnvKey ? id : envKey || id;
+            exportName = exportEnvName$1(exportSource, process.env, consumer);
+        }
+        else {
+            exportName = cleanName$1(exportParam);
+        }
+        if (!consumer &&
+            envKey &&
+            !process.env[envKey] &&
+            value === undefined &&
+            !generateSecretString) {
+            throw new ConfigurationError(`JaypieEnvSecret(${id}): envKey "${envKey}" is empty in process.env and no value or generateSecretString was provided`);
+        }
+        if (consumer) {
+            const secretName = Fn.importValue(exportName);
+            const secret = secretsmanager.Secret.fromSecretNameV2(this, id, secretName);
+            // Add CfnOutput for consumer secrets
+            new CfnOutput(this, `ConsumedName`, {
+                value: secret.secretName,
+            });
+            return secret;
+        }
+        const secretValue = envKey && process.env[envKey] ? process.env[envKey] : value;
+        const secret = new secretsmanager.Secret(this, id, {
+            generateSecretString,
+            secretStringValue: !generateSecretString && secretValue
+                ? SecretValue.unsafePlainText(secretValue)
+                : undefined,
+        });
+        if (removalPolicy !== undefined) {
+            const policy = typeof removalPolicy === "boolean"
+                ? removalPolicy
+                    ? RemovalPolicy.RETAIN
+                    : RemovalPolicy.DESTROY
+                : removalPolicy;
+            secret.applyRemovalPolicy(policy);
+        }
+        if (roleTag) {
+            Tags.of(secret).add(CDK$2.TAG.ROLE, roleTag);
+        }
+        if (vendorTag) {
+            Tags.of(secret).add(CDK$2.TAG.VENDOR, vendorTag);
+        }
+        if (provider) {
+            new CfnOutput(this, `ProvidedName`, {
+                value: secret.secretName,
+                exportName,
+            });
+        }
+        else {
+            new CfnOutput(this, `CreatedName`, {
+                value: secret.secretName,
+            });
+        }
+        return secret;
+    }
+}
+JaypieEnvSecret.shorthandPrefix = "EnvSecret_";
 
 /**
  * Cache for secrets by scope to avoid creating duplicates.
@@ -1143,11 +1206,11 @@ function getOrCreateSecret(scope, envKey, props) {
     return secret;
 }
 /**
- * Resolves secrets input to an array of JaypieEnvSecret instances.
+ * Resolves secrets input to an array of JaypieSecret instances.
  *
- * When an item is already a JaypieEnvSecret, it's passed through as-is.
- * When an item is a string, a JaypieEnvSecret is created (or reused from cache)
- * with the string as the envKey.
+ * When an item is already a JaypieSecret (including a JaypieEnvSecret), it's
+ * passed through as-is. When an item is a string, a JaypieEnvSecret is created
+ * (or reused from cache) with the string as the envKey.
  *
  * Secrets are cached per scope to avoid creating duplicate secrets when
  * multiple constructs in the same scope reference the same secret.
@@ -1183,7 +1246,7 @@ function resolveSecrets(scope, secrets) {
         if (typeof item === "string") {
             return getOrCreateSecret(scope, item);
         }
-        // Already a JaypieEnvSecret instance
+        // Already a JaypieSecret (or JaypieEnvSecret) instance
         return item;
     });
 }
@@ -1204,6 +1267,148 @@ function clearAllSecretsCaches() {
     // between test runs. For testing, use clearSecretsCache(scope) instead.
 }
 
+/**
+ * Canonical sub-rule names for each AWS managed rule group, as published in the
+ * AWS WAF developer guide. Used to validate `waf.allow` and
+ * `waf.managedRuleOverrides` rule names at synth time — AWS WAF matches
+ * `RuleActionOverride` on the exact rule *name* and silently ignores names that
+ * match no rule, so a typo or a label/name casing mismatch (e.g. the label
+ * `…:NoUserAgent_Header` vs the rule name `NoUserAgent_HEADER`) becomes an
+ * undiagnosable no-op.
+ *
+ * Groups absent from this map (custom rule groups, or AWS groups not yet
+ * mirrored here) are not validated.
+ *
+ * @see https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
+ */
+const AWS_MANAGED_RULE_GROUPS = {
+    AWSManagedRulesAdminProtectionRuleSet: ["AdminProtection_URIPATH"],
+    AWSManagedRulesAmazonIpReputationList: [
+        "AWSManagedIPDDoSList",
+        "AWSManagedIPReputationList",
+        "AWSManagedReconnaissanceList",
+    ],
+    AWSManagedRulesAnonymousIpList: ["AnonymousIPList", "HostingProviderIPList"],
+    AWSManagedRulesCommonRuleSet: [
+        "CrossSiteScripting_BODY",
+        "CrossSiteScripting_COOKIE",
+        "CrossSiteScripting_QUERYARGUMENTS",
+        "CrossSiteScripting_URIPATH",
+        "EC2MetaDataSSRF_BODY",
+        "EC2MetaDataSSRF_COOKIE",
+        "EC2MetaDataSSRF_QUERYARGUMENTS",
+        "EC2MetaDataSSRF_URIPATH",
+        "GenericLFI_BODY",
+        "GenericLFI_QUERYARGUMENTS",
+        "GenericLFI_URIPATH",
+        "GenericRFI_BODY",
+        "GenericRFI_QUERYARGUMENTS",
+        "GenericRFI_URIPATH",
+        "NoUserAgent_HEADER",
+        "RestrictedExtensions_QUERYARGUMENTS",
+        "RestrictedExtensions_URIPATH",
+        "SizeRestrictions_BODY",
+        "SizeRestrictions_Cookie_HEADER",
+        "SizeRestrictions_QUERYSTRING",
+        "SizeRestrictions_URIPATH",
+        "UserAgent_BadBots_HEADER",
+    ],
+    AWSManagedRulesKnownBadInputsRuleSet: [
+        "ExploitablePaths_URIPATH",
+        "Host_localhost_HEADER",
+        "JavaDeserializationRCE_BODY",
+        "JavaDeserializationRCE_HEADER",
+        "JavaDeserializationRCE_QUERYSTRING",
+        "JavaDeserializationRCE_URIPATH",
+        "Log4JRCE_BODY",
+        "Log4JRCE_HEADER",
+        "Log4JRCE_QUERYSTRING",
+        "Log4JRCE_URIPATH",
+        "PROPFIND_METHOD",
+        "ReactJSRCE_BODY",
+    ],
+    AWSManagedRulesLinuxRuleSet: ["LFI_HEADER", "LFI_QUERYSTRING", "LFI_URIPATH"],
+    AWSManagedRulesPHPRuleSet: [
+        "PHPHighRiskMethodsVariables_BODY",
+        "PHPHighRiskMethodsVariables_HEADER",
+        "PHPHighRiskMethodsVariables_QUERYSTRING",
+        "PHPHighRiskMethodsVariables_URIPATH",
+    ],
+    AWSManagedRulesSQLiRuleSet: [
+        "SQLiExtendedPatterns_BODY",
+        "SQLiExtendedPatterns_HEADER",
+        "SQLiExtendedPatterns_QUERYARGUMENTS",
+        "SQLiExtendedPatterns_URIPATH",
+        "SQLi_BODY",
+        "SQLi_COOKIE",
+        "SQLi_QUERYARGUMENTS",
+        "SQLi_URIPATH",
+    ],
+    AWSManagedRulesUnixRuleSet: [
+        "UNIXShellCommandsVariables_BODY",
+        "UNIXShellCommandsVariables_HEADER",
+        "UNIXShellCommandsVariables_QUERYSTRING",
+    ],
+    AWSManagedRulesWindowsRuleSet: [
+        "PowerShellCommands_BODY",
+        "PowerShellCommands_COOKIE",
+        "PowerShellCommands_QUERYARGUMENTS",
+        "WindowsShellCommands_BODY",
+        "WindowsShellCommands_HEADER",
+        "WindowsShellCommands_QUERYARGUMENTS",
+        "WindowsShellCommands_QUERYSTRING",
+        "WindowsShellCommands_URIPATH",
+    ],
+    AWSManagedRulesWordPressRuleSet: [
+        "WordPressExploitableCommands_QUERYSTRING",
+        "WordPressExploitablePaths_URIPATH",
+    ],
+};
+/**
+ * Throw a ConfigurationError if any `waf.allow` or `waf.managedRuleOverrides`
+ * rule name does not exist in its AWS managed rule group. Groups not present in
+ * AWS_MANAGED_RULE_GROUPS (custom groups) are skipped. A name that matches no
+ * rule would otherwise be silently ignored by AWS WAF.
+ */
+function assertValidWafRuleNames({ allow, managedRuleOverrides, } = {}) {
+    // Collect (group → referenced rule name) pairs from both inputs.
+    const references = [];
+    if (managedRuleOverrides) {
+        for (const [group, overrides] of Object.entries(managedRuleOverrides)) {
+            for (const override of overrides ?? []) {
+                if (override?.name)
+                    references.push({ group, ruleName: override.name });
+            }
+        }
+    }
+    const allowEntries = allow ? (Array.isArray(allow) ? allow : [allow]) : [];
+    for (const entry of allowEntries) {
+        for (const key of Object.keys(entry)) {
+            if (key === "path")
+                continue;
+            const raw = entry[key];
+            if (raw == null)
+                continue;
+            const ruleNames = Array.isArray(raw) ? raw : [raw];
+            for (const ruleName of ruleNames) {
+                references.push({ group: key, ruleName });
+            }
+        }
+    }
+    for (const { group, ruleName } of references) {
+        const validNames = AWS_MANAGED_RULE_GROUPS[group];
+        if (!validNames)
+            continue; // Unknown/custom group — cannot validate
+        if (!validNames.includes(ruleName)) {
+            throw new ConfigurationError(`WAF rule "${ruleName}" is not a rule in ${group}. AWS WAF matches ` +
+                `RuleActionOverrides on the exact rule name and silently ignores ` +
+                `unmatched names (note the label/name casing trap, e.g. ` +
+                `"NoUserAgent_HEADER" not "NoUserAgent_Header"). Valid rule names: ` +
+                `${validNames.join(", ")}.`);
+        }
+    }
+}
+
 class JaypieApiGateway extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
@@ -1393,12 +1598,12 @@ class JaypieLambda extends Construct {
         super(scope, id);
         const { allowAllOutbound, allowPublicSubnet, architecture = lambda.Architecture.X86_64, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, tables = [], environment: environmentInput, envSecrets = {}, ephemeralStorageSize, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag = CDK$2.ROLE.PROCESSING, runtime = new lambda.Runtime("nodejs24.x", lambda.RuntimeFamily.NODEJS, {
             supportsInlineCode: true,
-        }), runtimeManagementMode, secrets: secretsInput = [], securityGroups, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
+        }), runtimeManagementMode, secrets: secretsInput = [], securityGroups, serviceTag, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
         // Resolve environment from array or object syntax
         const initialEnvironment = resolveEnvironment(environmentInput);
         // Get base environment with defaults
         const environment = jaypieLambdaEnv({ initialEnvironment });
-        // Resolve secrets from mixed array (strings and JaypieEnvSecret instances)
+        // Resolve secrets from mixed array (strings and JaypieSecret instances)
         // Use Stack.of(this) to ensure secrets are shared at stack level across all constructs
         const secrets = resolveSecrets(Stack.of(this), secretsInput);
         const codeAsset = typeof code === "string" ? lambda.Code.fromAsset(code) : code;
@@ -1409,7 +1614,7 @@ class JaypieLambda extends Construct {
             ...acc,
             [`SECRET_${key}`]: secret.secretName,
         }), {});
-        // Process JaypieEnvSecret array
+        // Process JaypieSecret array
         const jaypieSecretsEnvironment = secrets.reduce((acc, secret) => {
             if (secret.envKey) {
                 return {
@@ -1479,7 +1684,7 @@ class JaypieLambda extends Construct {
         Object.values(envSecrets).forEach((secret) => {
             secret.grantRead(this._lambda);
         });
-        // Grant read permissions for JaypieEnvSecrets
+        // Grant read permissions for JaypieSecrets
         secrets.forEach((secret) => {
             secret.grantRead(this._lambda);
         });
@@ -1507,6 +1712,9 @@ class JaypieLambda extends Construct {
         if (roleTag) {
             Tags.of(this._lambda).add(CDK$2.TAG.ROLE, roleTag);
         }
+        if (serviceTag) {
+            Tags.of(this._lambda).add(CDK$2.TAG.SERVICE, serviceTag);
+        }
         if (vendorTag) {
             Tags.of(this._lambda).add(CDK$2.TAG.VENDOR, vendorTag);
         }
@@ -1631,7 +1839,7 @@ class JaypieQueuedLambda extends Construct {
         super(scope, id);
         const { allowAllOutbound, allowPublicSubnet, architecture, batchSize = 1, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment = {}, envSecrets = {}, ephemeralStorageSize, fifo = true, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag, runtime = new lambda.Runtime("nodejs24.x", lambda.RuntimeFamily.NODEJS, {
             supportsInlineCode: true,
-        }), runtimeManagementMode, secrets = [], securityGroups, tables = [], timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, visibilityTimeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), vpc, vpcSubnets, } = props;
+        }), runtimeManagementMode, secrets = [], securityGroups, serviceTag, tables = [], timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, visibilityTimeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), vpc, vpcSubnets, } = props;
         // Create SQS Queue
         this._queue = new sqs.Queue(this, "Queue", {
             fifo,
@@ -1642,6 +1850,9 @@ class JaypieQueuedLambda extends Construct {
         if (roleTag) {
             Tags.of(this._queue).add(CDK$2.TAG.ROLE, roleTag);
         }
+        if (serviceTag) {
+            Tags.of(this._queue).add(CDK$2.TAG.SERVICE, serviceTag);
+        }
         if (vendorTag) {
             Tags.of(this._queue).add(CDK$2.TAG.VENDOR, vendorTag);
         }
@@ -1679,6 +1890,7 @@ class JaypieQueuedLambda extends Construct {
             runtimeManagementMode,
             secrets,
             securityGroups,
+            serviceTag,
             tables,
             timeout,
             tracing,
@@ -1873,7 +2085,7 @@ class JaypieBucketQueuedLambda extends JaypieQueuedLambda {
     constructor(scope, id, props) {
         props.fifo = false; // S3 event notifications are not supported for FIFO queues
         super(scope, id, props);
-        const { bucketName, roleTag, vendorTag, bucketOptions = {} } = props;
+        const { bucketName, roleTag, serviceTag, vendorTag, bucketOptions = {}, } = props;
         // Create S3 Bucket
         this._bucket = new s3.Bucket(this, "Bucket", {
             bucketName: bucketOptions.bucketName || bucketName,
@@ -1884,6 +2096,9 @@ class JaypieBucketQueuedLambda extends JaypieQueuedLambda {
         if (roleTag) {
             Tags.of(this._bucket).add(CDK$2.TAG.ROLE, roleTag);
         }
+        if (serviceTag) {
+            Tags.of(this._bucket).add(CDK$2.TAG.SERVICE, serviceTag);
+        }
         if (vendorTag) {
             Tags.of(this._bucket).add(CDK$2.TAG.VENDOR, vendorTag);
         }
@@ -2687,6 +2902,8 @@ class JaypieDistribution extends Construct {
             else {
                 // Create new WebACL
                 const { allow, managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES$1, rateLimitPerIp = DEFAULT_RATE_LIMIT$1, } = wafConfig;
+                // Fail synth on rule names AWS WAF would silently ignore (#362)
+                assertValidWafRuleNames({ allow, managedRuleOverrides });
                 const allowEntries = allow
                     ? Array.isArray(allow)
                         ? allow
@@ -3721,7 +3938,7 @@ class JaypieNextJs extends Construct {
             ? path.join(process.cwd(), props.nextjsPath)
             : props?.nextjsPath || path.join(process.cwd(), "..", "nextjs");
         const paramsAndSecrets = resolveParamsAndSecrets();
-        // Resolve secrets from mixed array (strings and JaypieEnvSecret instances)
+        // Resolve secrets from mixed array (strings and JaypieSecret instances)
         // Use Stack.of(this) to ensure secrets are shared at stack level across all constructs
         const secrets = resolveSecrets(Stack.of(this), props?.secrets);
         // Process secrets environment variables
@@ -3729,7 +3946,7 @@ class JaypieNextJs extends Construct {
             ...acc,
             [`SECRET_${key}`]: secret.secretName,
         }), {});
-        // Process JaypieEnvSecret array
+        // Process JaypieSecret array
         const jaypieSecretsEnvironment = secrets.reduce((acc, secret) => {
             if (secret.envKey) {
                 return {
@@ -3804,7 +4021,7 @@ class JaypieNextJs extends Construct {
         Object.values(envSecrets).forEach((secret) => {
             secret.grantRead(nextjs.serverFunction.lambdaFunction);
         });
-        // Grant read permissions for JaypieEnvSecrets
+        // Grant read permissions for JaypieSecrets
         secrets.forEach((secret) => {
             secret.grantRead(nextjs.serverFunction.lambdaFunction);
         });
@@ -4673,6 +4890,8 @@ class JaypieWebDeploymentBucket extends Construct {
                 }
                 else {
                     const { managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
+                    // Fail synth on rule names AWS WAF would silently ignore (#362)
+                    assertValidWafRuleNames({ managedRuleOverrides });
                     let priority = 0;
                     const rules = [];
                     for (const ruleName of managedRules) {
@@ -5346,5 +5565,5 @@ class JaypieWebSocketTable extends Construct {
     }
 }
 
-export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, constructWafLogBucketName, ensureRoute53QueryLoggingPolicy, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
+export { AWS_MANAGED_RULE_GROUPS, CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSecret, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, assertValidWafRuleNames, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, constructWafLogBucketName, ensureRoute53QueryLoggingPolicy, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
 //# sourceMappingURL=index.js.map